en - Re: [sympa-users] Shibboleth with multiple Sympa robots

Subject: The mailing list for listmasters using Sympa

  • From: Christian Dahlhausen <address@concealed>
  • To: Olivier Salaün <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] Shibboleth with multiple Sympa robots
  • Date: Wed, 5 May 2010 15:18:34 -0400

Olivier,
merci for the quick response.

I looked at the Shibboleth/Sympa documentation; it should be all set. However, I am using Shibboleth 1.3. Here are some snippets of my configuration:

shibboleth.xml::
<Host name="server1.mail.virginia.edu">
    <Path name="secure" applicationId="default" authType="shibboleth" requireSession="true" exportAssertion="true"/>
    <Path name="sympa" applicationId="default" authType="shibboleth" requireSession="true" exportAssertion="true" />
</Host>
<Host name="lists.virginia.edu" applicationId="sympa-lists">
    <Path name="secure" applicationId="sympa-lists" authType="shibboleth" requireSession="true" exportAssertion="true"/>
    <Path name="sympa" applicationId="sympa-lists" authType="shibboleth" requireSession="true" exportAssertion="true" />
</Host>
[...]
<Application id="sympa"
             providerId="https://servername1.mail.virginia.edu/sympa"
             homeURL="https://servername1.mail.virginia.edu/sympa">
    <Sessions handlerURL="/Shibboleth.sso/incommon"
              handlerSSL="true"
              cookieProps="; path=/sympa; secure"
              checkAddress="false"
              lifetime="7200" timeout="3600" />
</Application>
[...]
<Application id="sympa-lists"
             providerId="https://servername2.virginia.edu/sympa"
             homeURL="https://servername2.virginia.edu/sympa/sso_login/incommon">
    <Sessions handlerURL="/Shibboleth.sso/incommon"
              handlerSSL="true"
              cookieProps="; path=/sympa; secure"
              checkAddress="false"
              lifetime="7200" timeout="3600"/>
</Application>

auth.conf::
generic_sso
  service_name          NetBadge
  service_id            incommon
  http_header_prefix    HTTP_SHIB
  email_http_header     REMOTE_USER

Both Sympa robots are configured as https virtual hosts in a single wild card host entry.

default-ssl::
<VirtualHost *:443>
        ServerName servername1.mail.virginia.edu
        DocumentRoot /var/www-ssl
[..]

<Location /sympa/sso_login/incommon>
   AuthType shibboleth
   ShibRequireSession On
   require valid-user
   AddHandler fcgi-script .fcgi
   #ShibExportAssertion on
   #ShibApplicationID sympa-lists
</Location>
</Virtualhost>

The Shibboleth login on servername1.mail.virginia.edu works just fine; servername2.virginia.edu, however, doesn't receive any REMOTE_USER info.



2010/5/5 Olivier Salaün <address@concealed>
Hello Christian,

I suppose that you wish to have Shibboleth authentication enabled on all your Sympa robots.
Then configuring the generic_sso parameters in the default auth.conf is enough to have them applied to all virtual robots. The piece of log that you provide tells me that authentication does use sso_login(), which is a good sign.

The error message you get, "no REMOTE_USER HTTP header set", could reflect an issue in the Apache configuration. You should make sure that Shibboleth authentication is activated on all your Apache virtual hosts.

Just in case you missed it, here is the Shibb+Sympa documentation: <http://www.sympa.org/manual/authentication#setting_up_a_shibboleth-enabled_sympa_server>

If you need further help, you should provide more information on your setup (auth.conf file + Apache configuration).

On 04/05/2010 22:25, Christian Dahlhausen wrote:

I have set up Sympa 5.3.4 with Shibboleth 1.3 on Ubuntu 8.04 LTS. Shibboleth and Sympa should be configured correctly since I can log in on the main Sympa robot. However, I cannot log in to other robots on the same machine.
May  4 16:17:42 hops wwsympa[21738]: [robot xyz] [client 111.222.333.444 ] main::do_sso_login() do_sso_login: user could not be identified, no REMOTE_USER HTTP header set

Does anybody have a similar setting, or has anybody run into a similar problem?




--
-----------------------------------------------------------
Christian Dahlhausen, Network Systems Engineer
University of Virginia - ITC Network Systems
PO Box 400324, 2015 Ivy Road, Charlottesville, VA 22904
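
The advice quoted above, to make sure Shibboleth authentication is activated on all Apache virtual hosts, can be checked mechanically. The following is an added example, not part of the original thread or of Sympa: a small Python audit that reports, for each ServerName/ServerAlias, whether the SSO path carries `AuthType shibboleth` and `ShibRequireSession On`. The hostnames and the sample configuration are constructed; the path and directive names are the ones quoted in the message.

```python
# Constructed sample: two vhosts, the second with Shibboleth commented out.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName robot1.example.org
    <Location /sympa/sso_login/incommon>
        AuthType shibboleth
        ShibRequireSession On
        require valid-user
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName robot2.example.org
    ServerAlias lists.example.org
    <Location /sympa/sso_login/incommon>
        #AuthType shibboleth
        require valid-user
    </Location>
</VirtualHost>
"""

def audit_vhosts(conf, sso_path):
    """Map each ServerName/ServerAlias to the directives set on sso_path."""
    report, names, found, loc = {}, [], {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # commented-out directives do not count
            continue
        first = line.split()[0].lower()
        if first.startswith("<virtualhost"):
            names, found = [], {}
        elif first.startswith("</virtualhost"):
            report.update({n: found for n in names})
        elif first == "<location":
            loc = line.split(None, 1)[1].rstrip(">").strip()
        elif first.startswith("</location"):
            loc = None
        elif first in ("servername", "serveralias"):
            names += line.split()[1:]
        elif loc == sso_path:
            found[first] = line.partition(" ")[2].strip()
    return report

def unprotected(report):
    """Hosts whose SSO path lacks AuthType shibboleth plus ShibRequireSession On."""
    return sorted(h for h, d in report.items()
                  if d.get("authtype", "").lower() != "shibboleth"
                  or d.get("shibrequiresession", "").lower() != "on")

if __name__ == "__main__":
    print(unprotected(audit_vhosts(SAMPLE_CONF, "/sympa/sso_login/incommon")))
```

A robot hostname that does not appear in the report at all has no explicit ServerName or ServerAlias in the parsed file, which is itself worth checking when several robots share one wildcard vhost.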



